Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Windows Embedded Developer Center
Click to Rate and Give Feedback
MSDN
MSDN Library
Servers
Web Server (HTTPD)
Web Server Security

  Switch on low bandwidth view
Web Server Security
Windows Mobile SupportedWindows Embedded CE Supported
8/28/2008

The Web Server is designed to run over a network and function as an extensible network server. This topic covers the security risks and best practices for configuring the web server.

The Web Server has the following potential security risks:

  • The Web Server is designed to run over a network. If the device is run over a public network, such as the Internet, and the security of the device is compromised, it could expose the device or the local network to the public network.
  • The Web Server is designed to function as a network server. If the security of the Web Server is compromised, it could expose the device or local network to multiple remote clients.
  • The Web Server is extensible. If the extensions do not use proper security and authentication procedures, they could compromise the security of the device or the local network.

Note:
For Windows Embedded CE: If your Web Server includes WebDAV functionality, see WebDAV Security for additional information.

Limit deployment to ten connections simultaneously

A typical deployment uses a Web Server in a private network to provide a remote user interface to configure a headless device. The registry defines the number of connections and when the MaxConnections registry value is not set, the registry limits the number to 10.

Do not use the Web Server to perform critical operations

A typical deployment uses the Web Server to display status information or to host a family or community Web site. You should not use the Web Server to perform critical operations, such as machine control or financial processing.

Use authentication

Use the NTLM or Basic authentication mechanism to limit access to known users only. You can set the option in the HKEY_LOCAL_MACHINE\COMM\HTTPD registry key. For specific security information, see Base Registry Settings. For more information about authentication, see Web Server Authentication and Permissions.

Use Secure Sockets Layer (SSL)

The SSL protocol helps to protect data from packet sniffing by anyone with physical access to the network. For more information, see SSL Support.

Use user access lists

Carefully choose your virtual roots and limit access to the appropriate files by providing appropriate user access lists. Anonymous users with access to the virtual root may be able to access files and directories within that virtual root. You can set the options in HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS registry key. For specific security information, see Setting Virtual Paths. See also Web Server Authentication and Permissions.

You should be aware of the registry settings that impact security. In the registry settings documentation you will find a Security Note for those values with security implications.

For Web Server registry information, see:

Web Server Registry Settings.

Web Server Security

Web Server Registry Settings

The following table shows the ports that the Web Server uses, for details see Web Server Registry Settings.

Port number Registry values

80

Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD

443

Port value in HKEY_LOCAL_MACHINE\COMM\HTTPD\SSL

In addition to the practices above, the following best practices are recommended for Windows Embedded CE:

Remove or disable sample ISAPIs and other development tools when you create the release image.

Some sample ISAPIs that you include in your device may allow unauthorized users to access your system resources or protected data. Many of the samples provided are for development and debugging purposes only and pose a significant security risk if deployed on a public network.

Enable a firewall on your network device

For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.

For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows Embedded CE Firewall on the network device. For more information about the Windows Embedded CE IP Firewall and how to configure it, see Firewall.

For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker